[Thinlinc-technical] Requests regarding ThinLinc client (Linux)

Fri May 31 21:02:04 CEST 2013

Hello Aaron,

Am 31.05.2013 um 13:07 schrieb Aaron Sowry <aaron at cendio.se>:

>> 1) As we supply the password on command-line via the "-p" option
>> potential hackers could easily retrieve the user password in clear text
>> by simply listing all running processes via the "ps" command on linux.
> 
> There are actually 2 ways to achieve this with ThinLinc:
> 
> 1) The ThinLinc client has an option "--askpass PROGRAM" (see "tlclient
> --help" and [1]). Whether this will work for you or not depends on the
> program which is asking the user for their login information, however it
> is worth a look.

Thanks for the hint in using the --askpass / -P option. In fact, I think I found a way to read in the password from stdin and supply it via -P to thinlinc. Our current solution seems to be executing the thinlinc client via the following command-line sequence:

echo PASSWORD | /opt/thinclient/bin/tlclient -u USERNAME -P cat SERVERNAME

Thus, by using "cat" as the askpass command the password is supplied via a stdin pipe to tlclient will immediately be forwarded to the thinlinc client (stdin redirection). This seems to work now, however, it is IMHO rather uncommon to do it that way.

> 2) Specify a per-user client configuration file, which contains the
> password. This configuration file will have the same format as
> ~/tlclient.conf, and should be set with the appropriate permissions. You
> will need to set the PASSWORD parameter (see [2]) using hexadecimal
> ASCII representations of the password characters. For example, for a
> password of "foo":
> 
> PASSWORD=666F6F
> 
> In your case, you will probably also want to set AUTOLOGIN=1 as well as
> SERVER_NAME. The ThinLinc client can then be launched as follows:
> 
> $ tlclient -C <conf_file>

We also thought about using an automatically generated config file in first place and supply it to the client, but we didn't want to generate such a file and risk seeing it being intercepted in some way. If we don't find any other problem I think our request is indeed be fulfilled with the "-P cat" solution.

>> 2) When automatically connecting to a thinlinc server by calling the
>> client with username, password and server name the client GUI always
>> pops up while trying to connect to the ThinLinc server. There is,
>> however, no option to suppress the ThinLinc client user interface
>> completely.
> 
> We do in fact have a feature-request bug for this already in our tracker
> (bug #2897). It has not been implemented yet, however. If this feature
> is important to you, and you would like to make a feature request for
> it, you can send a mail to support at cendio.se and we can discuss this
> further off-list.

Thanks for pointing me to that feature request. Indeed, this feature is really somewhat important to us as popping up the thinlinc client somehow distracts the user attention. I will therefore bring up my request to support at cendio.se soon in the hope to such such a quiet option being implemented in a future client version.

best regards,
jens
-- 
Dr. Jens Langner
Helmholtz-Zentrum Dresden-Rossendorf
Institute of Radiopharmaceutical Cancer Research
Department of Positron Emission Tomography
POB 51 01 19, 01314 Dresden, Germany
http://www.hzdr.de/ | +49 351 260 2757

Vorstand: Prof. Dr. Dr. h. c. Roland Sauerbrey
Prof. Dr. Dr. h. c. Peter Joehnk
VR 1693 beim Amtsgericht Dresden

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1981 bytes
Desc: not available
URL: <http://lists.cendio.se/pipermail/thinlinc-technical/attachments/20130531/6302feb2/attachment-0005.p7s>